Mod_auth_kerb and Kerberos

Hi,
I currently have Apache 2.2.4 with mod_auth_kerb 5.3 running on Linux. I followed the instructions in http://www.grolmsnet.de/kerbtut/ to set up authentication against Windows 2000 as the KDC. I also configured IE to support SPNEGO so that I can do transparent authentication. Everything works fine, but frequently it falls back to Basic Authentication. I am wondering if I missed something while configuring which makes the ticket expire.
Does anyone have suggestions on what could be wrong?
Thanks
Vidya

Hi, I am also doing the same thing, trying to configure mod_auth_kerb.
I am having some issues with configuring the /etc/krb5.conf file. Are there any other resources I can use as reference?
Thanks

Similar Messages

  • 10.6.6 Server Combo Update Crashes LDAP and Kerberos Services

    Just updated apple server from 10.6.4 to 10.6.6 with combo server overnight.
    Everything was working fine under 10.6.4
    All users can no longer authenticate to server via mail or ldap logins
    LDAP and Kerberos Services stopped.
    Will downgrade from an open directory master to standalone then back to master again and post status...

    I think there is something wrong with LDAP on 10.6.6.
    I was forced to do a clean install in combo from 10.6.0 to 10.6.6 and today LDAP crashed.
    It seems to be an issue with the LDAP ACL.
    Message was edited by: Xalio

  • Configure CRS2008 to using AD and Kerberos with Java application servers.

    Hi All,
    I have configured CRS2008 to use AD and Kerberos with Java application servers. The Domain Controller is installed on a W2K3 Server. In addition, CRS2008 is installed on another W2K3 Server.
    I have created a service account in the domain controller: CMSACC
    I have created two user accounts: CRuser1 and CRuser2
    I have created a domain group: CRSGroup
    After I ran setspn on the domain controller, I got the message below:
    Registered ServicePrincipalNames for CN=CMSACC, OU=TEST, DC=BD, DC=com:
        BOBJCentralMS/BDMGTSRV.BD.com
    CMC Setting:
    AD Administration Name: BD\administrator
    Default AD Domain: BD.com
    Add AD Group(Domain\Group): secWinAD:CN=CRSGroup,OU=TEST,D=BD,DC=com
    Service principal name: BOBJCentralMS/CMSACC@BD.com
    I have created a WINNT folder in the root directory and saved bscLogin.conf and Krb5.ini there.
    bscLogin.conf:
    com.businessobjects.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required;
    };
    krb5.ini:
    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    [realms]
    forwardable = true
    BD.com = {
        default_domain = BD.com
        kdc = BDMGTSRV.BD.com
    }
    I have tested Kerberos using "kinit CMSACC@BD.com" and the password, and got the error message below:
    Exception: krb_error 41 Message stream modified (41) Message stream modified
    KrbException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:486)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
    My problem is that I fail to log on to CMC and InfoView and get the error message below:
    Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again.
    Actually, I am successful in logging on to Business View Manager with CRuser1. However, I fail to log on to CMC and InfoView and get the above error. Do you have any suggestion to solve this problem?
    Ken.

    If you can log on with the client tools then that should be an indication that the service account running the CMS IS working! Good news.
    So the problem is likely with the Java portion (krb5/bsclogin or Java options).
    If the files are in c:\winnt\ (if not, copy them there), perform c:\program files\business objects\javasdk\bin\kinit username
    then Enter, and password/Enter again.
    You'll probably get the same message. To note: in your krb5.ini all domain info must be in CAPS (the .com appears to be in lower case).
    kinit works with just the krb5.ini, Java SDK and AD (removing BO config and the service account from the picture). Once that works, if your Java options are specified properly you should be able to log in to CMC/InfoView.
    Also, one last point. Add udp_preference_limit = 1 to the krb5 [libdefaults] section:
    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1
    Regards,
    Tim
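The two points in Tim's reply (realm names in upper case, udp_preference_limit = 1 in [libdefaults]) are easy to check mechanically before touching the Java side. The following is an added example, not code from the thread or from Business Objects: a small parser for the krb5 profile format, a linter that reports the two problems plus a stray option sitting directly under [realms], and a fixer that rewrites the text. The sample krb5.ini is a constructed copy of the one quoted in Ken's post. Only realm names are upper-cased; default_domain is a DNS name and is left alone.

```python
"""Lint and fix a krb5.ini / krb5.conf for realm-name case and udp_preference_limit.

Added example; not part of the original thread. SAMPLE_KRB5_INI is constructed
from the configuration quoted in the post above.
"""
import re
from typing import Dict, List

SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
forwardable = true
BD.com = {
default_domain = BD.com
kdc = BDMGTSRV.BD.com
}
"""


def parse_krb5(text: str) -> Dict[str, dict]:
    """Parse the krb5 profile format into nested dicts.

    Sections are [name]; a 'KEY = {' line opens a nested block closed by '}'.
    Repeated keys overwrite earlier ones, which is good enough for a linter.
    """
    sections: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def lint_krb5(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was found."""
    findings: List[str] = []
    conf = parse_krb5(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: no default_realm set")
    elif default_realm != default_realm.upper():
        findings.append(f"libdefaults: default_realm {default_realm!r} is not upper case")

    for name, body in realms.items():
        if not isinstance(body, dict):
            # e.g. 'forwardable = true' placed directly under [realms]; it belongs in [libdefaults]
            findings.append(f"realms: {name!r} is not a realm block; move it to [libdefaults]")
            continue
        if name != name.upper():
            findings.append(f"realms: realm {name!r} is not upper case")
        if "kdc" not in body:
            findings.append(f"realms: {name!r} has no kdc entry")

    # Realm names are case-sensitive, so the lookup is exact.
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] block")

    if libdefaults.get("udp_preference_limit") != "1":
        findings.append("libdefaults: udp_preference_limit = 1 not set (library would try UDP first)")
    return findings


def fix_krb5(text: str) -> str:
    """Upper-case realm names and ensure udp_preference_limit = 1 in [libdefaults].

    Works line by line so comments and ordering in the file survive.
    """
    conf = parse_krb5(text)
    realm_names = {n for n, b in conf.get("realms", {}).items() if isinstance(b, dict)}
    out: List[str] = []
    in_libdefaults = added = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            if in_libdefaults and not added:
                out.append("udp_preference_limit = 1")
                added = True
            in_libdefaults = stripped == "[libdefaults]"
            out.append(line)
            continue
        if in_libdefaults and re.match(r"udp_preference_limit\s*=", stripped):
            line, added = "udp_preference_limit = 1", True
        m = re.fullmatch(r"default_realm\s*=\s*(\S+)", stripped)
        if m:
            line = f"default_realm = {m.group(1).upper()}"
        m = re.fullmatch(r"(\S+)\s*=\s*\{", stripped)
        if m and m.group(1) in realm_names:
            line = f"{m.group(1).upper()} = {{"
        out.append(line)
    if in_libdefaults and not added:  # [libdefaults] was the last section
        out.append("udp_preference_limit = 1")
    return "\n".join(out) + "\n"
```

Running lint_krb5 on the sample reports four findings (default_realm and the realm block in lower case, forwardable sitting under [realms], no udp_preference_limit); after fix_krb5 only the misplaced forwardable line remains, since moving options between sections is a judgement call the fixer deliberately leaves to the administrator.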

  • DCOM Event ID 9 and kerberos Event ID 4 in SCCM Primary server

    I can see that DCOM Event ID 9 and Kerberos Event ID 4 are continuously happening for workstations in SCCM Primary Servers. Why is this happening?

    Yes, I know this is an old post, but I’m trying to clean them up.
    Why do you think this is a CM07 issue? A quick Bing search suggests this is an AD issue and has nothing to do with CM07.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • Services servers with CNAME and kerberos

    Hello.
    My problem:
    I have an OD master xserver1.mydomain.com and another server xserver3.mydomain.com.
    My DNS is OK, forward and reverse, and authentication works fine.
    My problem is that I want to use CNAMEs for the services offered by xserver3.mydomain.com (imap, pop, smtp and others).
    So I have some CNAME entries in my DNS, imap.mydomain.com, pop.mydomain.com, smtp.mydomain.com, which all point to xserver3.mydomain.com; therefore:
    host imap.mydomain.com gives 10.1.0.10 and host 10.1.0.10 gives xserver3.mydomain.com (all is regular).
    When I connect my mail client with the "incoming mail server" set to xserver3.mydomain.com, Kerberos authentication is OK (TGT and SGT are obtained) and mail works fine.
    If I connect my mail client with "incoming mail server" set to imap.mydomain.com (the CNAME), Kerberos authentication is not OK (TGT is obtained but not SGT) and mail does not work.
    If I connect my mail client with "incoming mail server" set to imap (CNAME without domain name), Kerberos authentication is nearly OK (TGT and SGT are obtained) but mail is very slow and some mail folder sync does not seem to work!
    I have tried to remove the imap service principals on my mail server, imap/[email protected], and create new imap service principals with the CNAME, imap/[email protected], but it doesn't work.
    Any idea what to do?

    Thanks for reply.
    OK for RFCs, but my mail server has worked very well for years with clients set to the server CNAME. Even certificates are OK if the common name is the one given as the CNAME.
    The only problem I have is Kerberos, as explained.
    I am searching for a way to have friendly service names for my mail clients and at the same time keep all functionality (SSL and Kerberos).
    Maybe with multiple IPs on the same network interface on my mail server and an A entry for each?

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in Windows Explorer format, we are using Portal Drive, but Portal Drive still asks for authentication, i.e. SSO is not working for Portal Drive. I have understood from the forums and the SAP help site that SSO from Portal Drive will work only for NTLM authentication and client certificates. Can you please help regarding the questions below.
    1. Can Kerberos and NTLM authentication be configured together?
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003?
    3. Any other approach to make Portal Drive SSO work?
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    First, I made a change in portalapp.xml in the PAR file "com.sap.km.cm.par". In the authentication scheme section for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication.
    Second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the template to the ticket policy configuration.
    Again, this only worked after installing the latest version.
    Hope this helps
    Marcel

  • Publish Sharepoint 2013 via Web Application Proxy and Kerberos Authentication

    This is similar to
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/66c23aae-8774-4257-b9f9-b796e69b0318/action?threadDisplayName=publishing-sharepoint-2010-using-web-application-proxy
    However I have tried his resolution to no avail.
    I am trying to publish a SharePoint 2013 website via web application proxy. SharePoint 2013 is using negotiate (Kerberos) as its authentication provider. When trying to browse to the site externally via the WAP I get an http error 500 internal server error.
    In the web application proxy's event viewer I find the following two entries every time I try to browse the site.
    event ID 13019
    level: warning
    Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package
    (0x8009030e).
    Details:
    Transaction ID: {5672be45-a4b8-0005-58ff-7256b8a4cf01}
    Session ID: {5672be45-a4b8-0000-3909-7356b8a4cf01}
    Published Application Name: sharepoint
    Published Application ID: ****
    Published Application External URL: https://sharepoint.domain.com
    Published Backend URL: https://sharepoint.domain.com
    User: [email protected]
    User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
    Device ID: <Not Applicable>
    Token State: OK
    Cookie State: NotFound
    Client Request URL:
    https://sharepoint.domain.com/home?authToken=****client-request-id=****
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: WIA
    State Machine State: BackendRequestProcessing_Pending
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>
    And
    event ID 12027
    level: error
    Web Application Proxy encountered an unexpected error while processing the request.
    Error: No credentials are available in the security package
    (0x8009030e).
    Details:
    Transaction ID: ****
    Session ID: ****
    Published Application Name: Sharepoint
    Published Application ID: ****
    Published Application External URL: https://sharepoint.domain.com/
    Published Backend URL: https://sharepoint.domain.com/
    User: [email protected]
    User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
    Device ID: <Not Applicable>
    Token State: OK
    Cookie State: NotFound
    Client Request URL:
    https://gateway.dcsch.co.uk/home?authToken=****client-request-id=****
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: WIA
    State Machine State: OuOfOrderFEHeadersWriting
    Response Code to Client: 500
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>
    I have tried everything I have seen in many posts and the one linked above but cannot get this working. It does work fine internally.

    And within the next 10 minutes I found this
    http://technet.microsoft.com/en-us/library/dn308246.aspx#Kerberos
    I needed to set up delegation to ANY service in the Web Application Proxy.

  • Windows 8 - user login and Kerberos Realm problems.

    Hi,
    Just installed Windows 8 Enterprise x64 from our MDT into our production environment for some final testing. I have done this with both the Consumer and the Release Preview just to make sure our infrastructure can support users who want to run Windows 8 (Win 7 Enterprise will still be the default OS for our client desktops).
    The problem I reported here with the Consumer Preview, http://social.technet.microsoft.com/Forums/en-US/W8ITProPreRel/thread/069f59be-b89c-4005-8cd2-ff5fd756825a, is still alive and kicking.
    Logon after fresh reboot. (Windows 8)
    Username: XWYZ
    Password: *********
    Sign in to: "OURKERBEROSREALM.SE"
    We authenticate all our users with our Kerberos Realm and in our AD's all user passwords are random dummy placeholders, and are linked to the Kerberos realm.
    When users lock their computer, or put it in sleep mode, they should see this at their login:
    XWYZ (their full name)
    "OURKERBEROSREALM.SE\XWYZ" (their username)
    Locked
    Password: ********
    But it does not show this… it shows:
    XWYZ (their full name)
    WINDOWS DOMAIN NAME\XWYZ(their username)
    Locked
    Password: ********
    This means that when they want to unlock their desktop, or log in after sleep, it will try to authenticate their login on the domain AD and not the Kerberos realm. However, if you choose to go back and select "other user" it defaults back to using "OURKERBEROSREALM.se" as the "Sign in to:" domain.
    This worked flawlessly in XP, Vista and Windows 7, but not in Windows 8. Not having our Kerberos realm as default login in every scenario is kind of a bummer.

    I had some brief time looking into this, and my awesome workbuddy found that you can poke about the keys found in
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1
    With the LastLoggedOnSAMUser and LastLoggedOnUser values, I changed from "domain"\username to "kerberosrealm"\user, and when locking my computer or restarting, I now have no need to choose "other user" every time I want to log in again.
    At least somewhere to start.

  • Different between SSO using X.509 and Kerberos

    Dear Experts,
    When trying to decide which route to go for SSO X.509 certificate or Kerberos token for SAP Abap system only , I am a bit confused.
    These are the main steps for using X.509. All the documents I found only talk about installing Secure Login Server on AS Java using Telnet/JSPM deployment. Can we not do the same for AS ABAP? If that is true, does that mean X.509 certificates can only be used for ABAP + Java systems and not for ABAP only?
    X.509 Certificate:
    1. Install and Configure Secure Login Server on SAP AS Java system.
    2. Install Secure Login Client
    3. Install and Configure Secure Login Library on SAP AS ABAP
    4. Configure User Mapping in SAP AS ABAP/JAVA
    On the other hand Kerberos seems much simpler because installation of Secure Login Server is not required for AS ABAP.
    1. Install and Configure Secure Login Library
       Configure SPNEGO & SNC in SAP AS ABAP
    2. Install Secure Login Client
    3. Configure user mapping in AS ABAP.
    Kindly advise.

    We don't intend to use this on other web applications except for web gui.
    From what I understood, we create 2 values for "servicePrincipalName" for the user in AD: one for the SNC interface for GUI and the other entry for the web interface for web GUI users. With SNC/SPNEGO configured and the Kerberos keytab also configured for SPNEGO/SNC in ABAP, users should be able to log in to GUI and web GUI.
    That said, below are our current versions. Do we still have to upgrade the kernel version?
    S/W component    Release    Level    Highest Support Package
    SAP_BASIS        702        0012     SAPKB70212
    Kernel: kernel make variant 720_REL, Unicode, AIX 64 BIT, Patch number 500.

  • Mail and Kerberos problem

    Mail client: 10.7.4
    Mail server: 10.6.8
    Mail protocol: imap
    Authentication: Kerberos V5
    The problem: when I log in on my client, a TGT is acquired normally, klist shows it, and if I launch Mail, Mail gets an imap service ticket and all works fine.
    When my TGT expires, I cannot get a new TGT other than with a kinit, which is unacceptable for my users. Before, with the Snow Leopard or Leopard mail client, if no TGT was present on the client, Mail popped up a specific Kerberos dialog box to ask for the password and then got a new TGT and imap service ticket. That is anyway still the behavior with other services, AFP for example.
    I have tried to create a user Launch Agent which does a kinit periodically, but when the Mac client comes out of a long sleep, the TGT is expired and I have no way to launch my script at that moment.
    To reproduce the problem with no ticket at sequence start:
    foo-mac1:~ foo$ klist
    klist: krb5_cc_get_principal: No credentials cache file found
    foo-mac1:~ foo$ kinit [email protected]
    foo-mac1:~ foo$ klist
    Credentials cache: API:501:12
            Principal: [email protected]
      Issued           Expires          Principal
    Jul  5 10:41:50  Jul  5 20:41:50  krbtgt/[email protected]
    At this point, I launch Mail, a service ticket is created, my account is connected and working well.
    foo-mac1:~ foo$ klist
    Credentials cache: API:501:12
            Principal: foo@XSERVER1.MYDOMAIN.NET
      Issued           Expires          Principal
    Jul  5 10:41:50  Jul  5 20:41:50  krbtgt/XSERVER1.MYDOMAIN.NET@XSERVER1.MYDOMAIN.NET
    Jul  5 11:01:22  Jul  5 20:41:50  imap/xserver3.mydomain.net@XSERVER1.MYDOMAIN.NET
    I quit mail and delete my TGT.
    foo-mac1:~ foo$ kdestroy
    foo-mac1:~ foo$ klist
    klist: krb5_cc_get_principal: No credentials cache file found
    If I launch Mail, my account cannot connect and it does not propose a password dialog as previous versions did, so I cannot re-create the TGT and imap service ticket other than with kinit.
    Moreover, Mail logs this entry:
    03/07/12 17:04:52,838 Mail: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found (negative cache))
    03/07/12 17:04:52,838 Mail: [<_LibSasl2SASLClient: 0x7f951dd4f080> mechanism: GSSAPI security layer: no] Failed to start the SASL connection
    SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found (negative cache))
    Do you have an idea to make Mail propose a user-friendly dialog box when the TGT expires, or do you have an idea to launch a script when a Mac comes out of sleep?
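Whatever triggers the script (a Launch Agent, a wake hook), the decision it has to make is the same: is there a usable TGT in the cache, or has it expired or vanished? The following is an added example, not code from the thread or from Apple: it parses the Heimdal-style klist output quoted in the post and classifies the TGT. The sample klist texts are constructed from that output; klist prints no year, so the caller supplies one (the test assumes 2012).

```python
"""Parse klist output and report whether a usable TGT is present.

Added example, not from the original thread. The two KLIST_* samples are
constructed from the output quoted in the post above.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Ticket(NamedTuple):
    issued: datetime
    expires: datetime
    principal: str

    @property
    def is_tgt(self) -> bool:
        return self.principal.startswith("krbtgt/")


# Constructed from the post: a cache holding a TGT and an imap service ticket.
KLIST_WITH_TICKETS = """\
Credentials cache: API:501:12
        Principal: foo@XSERVER1.MYDOMAIN.NET
  Issued           Expires          Principal
Jul  5 10:41:50  Jul  5 20:41:50  krbtgt/XSERVER1.MYDOMAIN.NET@XSERVER1.MYDOMAIN.NET
Jul  5 11:01:22  Jul  5 20:41:50  imap/xserver3.mydomain.net@XSERVER1.MYDOMAIN.NET
"""

# Constructed from the post: what klist prints after kdestroy.
KLIST_EMPTY = "klist: krb5_cc_get_principal: No credentials cache file found\n"

# One ticket line: '<Mon> <d> <hh:mm:ss>  <Mon> <d> <hh:mm:ss>  <principal>'
_TICKET_RE = re.compile(
    r"^(?P<issued>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<expires>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<principal>\S+)$"
)


def _parse_stamp(stamp: str, year: int) -> datetime:
    # klist pads the day ('Jul  5'); collapse the whitespace before parsing.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_klist(output: str, year: int) -> List[Ticket]:
    """Return every ticket listed in klist output; header lines are skipped."""
    tickets: List[Ticket] = []
    for line in output.splitlines():
        m = _TICKET_RE.match(line.strip())
        if m:
            tickets.append(
                Ticket(_parse_stamp(m["issued"], year), _parse_stamp(m["expires"], year), m["principal"])
            )
    return tickets


def tgt_status(output: str, now: datetime, min_remaining: timedelta = timedelta(minutes=5)) -> str:
    """Classify the TGT: 'missing' (no cache or no krbtgt), 'expired', 'expiring' or 'valid'.

    'expiring' means the TGT is still good but has less than min_remaining left,
    which is the case to catch right after a long sleep.
    """
    tgts = [t for t in parse_klist(output, now.year) if t.is_tgt]
    if not tgts:
        return "missing"
    newest = max(tgts, key=lambda t: t.expires)
    if newest.expires <= now:
        return "expired"
    if newest.expires - now < min_remaining:
        return "expiring"
    return "valid"


def service_tickets(output: str, year: int) -> List[str]:
    """Principals of the non-TGT tickets, e.g. the imap/... ticket Mail obtained."""
    return [t.principal for t in parse_klist(output, year) if not t.is_tgt]
```

In a wake hook one would run klist, feed its stdout to tgt_status with datetime.now(), and prompt for a kinit only on 'missing', 'expired' or 'expiring'; the year assumption matters only for tickets spanning New Year, which a ten-hour TGT rarely does.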

    No solution at this point. Now we are seeing the same problem trying to authenticate radius users. Extremely frustrating!
    /var/log/system.log:
    Sep 19 11:22:58 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
    Sep 19 11:22:58 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
    Sep 19 11:24:05 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
    Sep 19 11:24:05 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
    Sep 19 11:26:27 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
    Sep 19 11:26:27 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
    /var/log/radius/radius.log:
    Fri Sep 19 14:21:56 2008 : Error: rlm_mschap: authentication failed -14090
    Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    Fri Sep 19 14:28:48 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    I'm wondering if it's trying to use the wrong auth mech at first. I see the user come in with a successful DIGEST-MD5 during the problem, then successful MS-CHAPv2 following the password reset. Resetting the user's password "fixes" the issue. Until it happens again at an unspecified time.

  • Ssrs 2008 and Kerberos both work separately; but not together

    Sorry that this question is very similar to some others that have been asked on this forum. Unfortunately, none of the solutions I've been able to find here or elsewhere have solved my problem.
    I'm trying to create some reports on data in a SharePoint site. SharePoint is version 2010 and my SQL Server Reporting Services (SSRS) is running off of SQL Server 2008 (NOT 2008 R2). Both these systems have been in use by my organization for some time and sadly upgrading them is not practical in the immediate future.
    I know that I have Kerberos working properly on the Reporting Server because I created a test report that draws data off of another SQL Server -- not a SharePoint site -- and I can demonstrate a successful double-hop by running that report from a client machine such as my development PC. (authenticates client -> ssrs server -> data server with no problems)
    Since SSRS 2008 and SharePoint 2010 aren't directly compatible (from what I've been able to find) I've set up SharePoint as an XML data source within my report. I know that the data source is working and authenticating on its own, because if I access the report server web service directly from the machine that's hosting SSRS, I can run my SharePoint XML data source report properly.
    However, when I try to run the SharePoint XML data source from a client machine (thus requiring a double-hop) I receive the following error:
    The remote server returned an error: (401) Unauthorized. (rsXmlDataProviderError)
    All of my SharePoint web applications are set up to use Kerberos authentication, all of my SharePoint and SSRS service accounts are set up for delegation, and I've checked my SPNs numerous times to ensure that there are no duplicates and that all involved servers and ports have been accounted for. My SSRS config file has authentication set to "Negotiate."
    I'm obviously missing something, but I've reached the point where reading troubleshooting guides and set up instructions is just leaving me repeating things I've already tried. If anyone has any advice that could point me in the right direction on this problem, I would greatly appreciate it!

    Hi,
    Have you checked the following similar article if you used the "Credentials stored securely in the report server" option? Please let us know your results.
    http://stackoverflow.com/questions/15033100/error-while-passing-credentials-from-ssrs-to-sharepoint-data-source
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/ab4ce91f-f1db-4567-a40a-7a11d02cbc05/ssrs-and-sharepoint-list-the-remote-server-returned-an-error-401-unauthorized?forum=sqlreportingservices
    http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx
    Thanks,
    Daniel Yang
    Forum Support

  • Hostname is .local and Kerberos problems

    Hi
    Having problems with our new Xserve. The computer name as set in Server Admin is 'serverx', which is giving a local hostname of serverx.local. I have DNS running with one zone of <domainname>.org.uk, with a server name of serverx giving an FQDN of serverx.<domainname>.org.uk.
    However, I had an email out from the Mailman mailing list asking for permission to allow a post to a mailing list and it had the link to click on as http://Serverx.local/mailman/.....
    Obviously I'd like this to be http://serverx.<domainname>.org.uk
    This also extends to the server's search base, which on the old server we migrated from was dc=<hostname>,dc=org,dc=uk, and which is now showing as dc=serverx,dc=local under Open Directory - Settings - Protocols.
    The Open Directory pane shows everything running apart from Kerberos, which is stopped. If I try to kerberize the server using the realm name <DOMAINNAME>.ORG.UK it whirrs away before returning me to the 'kerberize the open directory master' dialogue. Looking at the slapconfig log I get the errors...
    The KDC is not running error = 3
    failed to configure error = 3
    Is there a way to change this so that the domain name and search base are correct, and how do I get the KDC to run so I can kerberize the server?
    Hope some of that makes sense...
    Thanks
    Quad 2GHz Intel Xserve   Mac OS X (10.4.9)   2GB ram

    I had similar issues with .local and trying to migrate away. I decided to manually massage a backup into the non-.local domain. It worked for me, but I will stress that you should make a copy of your backup to do this on.
    First, decide what new domain you want to use. If you're building on a private network, you can use a non-valid domain, like '.int'. Set up your DNS.
    Use Server Admin to make a backup of your OD Domain. Make a copy. Burn it to CD. We don't want the original to change.
    Kerberize to the new domain. Make a new backup and burn it to CD as well.
    Open a modifiable copy of the backup. In it are many files, most of them are straight text files of one flavor or another. Time to get dirty...
    Backup.ldif is the big file to work with. You must go in and change all of the olddomain.locals to newdomain.tla (this is pseudocode, please use your own domains where you see these two.) You must also change all of the dc=olddomain,dc=local to dc=newdomain,dc=tla . The fun about this file is that Apple wraps it manually, which makes search and replace tedious, as there will be some of these things at the end of lines. The good news is that they are far from random, so you can search for parts of the name (local is a good search) and find the next iteration. Here are a couple examples...
    ...dc=ol
    ddomain,dc=local
    ...dc
    =olddomain,dc=local
    ...dc=olddoma
    in,dc=local
    The key is to search and replace the whole thing at once. I used textedit and pasted the entire offending text into the find box, then replaced with the proper new dc= values. You need not worry about wrapping, the importer doesn't care. The key is to make sure that you get it all.
    Now do the same with all of the other files. I didn't touch authservermain, which already had the new Kerberos domain in it. I did modify these files...
    Backup.ldif
    authserverreplicas
    authserveroverflow.x
    DSLDAPv3PluginConfig.plist
    slapd_macosxserver.conf
    local.dump
    local.krb5realm
    Make sure to check the other files, as different configurations will yield info in different files.
    Once you are done with this, it's time to turn your nice pretty domain into a standalone. It appears that the archive and restore tools are much better in 10.4.x than in older versions, so it actually works to restore things. There was one caveat. My standalone seemed to ignore the /etc/krb5adm.keytab, which then caused the conversion to Master domain to hang. Move it to krb5adm.keytab.old in case you need to restore.
    Make your server a Master again, this time with the new FQDN and search string.
    Import your modified backup. Your users should now be in place, although I lost my domain admins in the process.
    Finally, backup your domain, revert to standalone, toss the .keytab, convert to Master, and restore. This last step converts the bdb back into text, then back to the bdb. I was having a little strangeness until I did this step, which I believe clears up some cruft.
    Here are the benefits that I've seen in this process...
    - Passwords translate
    - migration is complete to new domain
    - easily restorable and/or recoverable
    Of course, your mileage may vary.
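The tedious part of the procedure above is that LDIF folds long values onto continuation lines (a following line that starts with one space is part of the previous value), so a plain search-and-replace misses every dc= string split at a line boundary. The following is an added example, not code from the post or from Apple's tools: it unfolds the export, replaces both the DNS form (olddomain.local) and the DN form (dc=olddomain,dc=local) of the domain, and folds the result back to the standard 76-column width. The sample LDIF and both domain names are constructed.

```python
"""Rewrite a domain in an LDIF export whose values are folded across lines.

Added example, not part of the original post. Standard LDIF (RFC 2849) folds
long lines by continuing them on the next line with one leading space; the
SAMPLE_LDIF below is constructed with the old domain split at three different
points, as described in the post.
"""
from typing import List

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=ol
 ddomain,dc=local
uid: alice
mail: alice@olddomain.local
apple-group-memberguid: cn=admins,dc
 =olddomain,dc=local

dn: cn=admins,cn=groups,dc=olddoma
 in,dc=local
cn: admins
memberUid: alice
"""


def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto their logical line."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fold(line: str, width: int = 76) -> List[str]:
    """Fold one logical line to LDIF width; continuation chunks get a leading space."""
    if len(line) <= width:
        return [line]
    out = [line[:width]]
    rest = line[width:]
    while rest:
        chunk, rest = rest[: width - 1], rest[width - 1 :]
        out.append(" " + chunk)
    return out


def rewrite_domain(ldif: str, old_dns: str, new_dns: str, width: int = 76) -> str:
    """Replace the DNS form and the dc= form of old_dns with new_dns throughout."""
    old_dc = ",".join(f"dc={p}" for p in old_dns.split("."))
    new_dc = ",".join(f"dc={p}" for p in new_dns.split("."))
    out: List[str] = []
    for line in unfold(ldif):
        # dc= form first; it does not contain the dotted form, so order is safe.
        line = line.replace(old_dc, new_dc).replace(old_dns, new_dns)
        out.extend(fold(line, width))
    return "\n".join(out) + "\n"


def count_occurrences(ldif: str, needle: str) -> int:
    """Count a string over unfolded lines, so matches split by folding are not missed."""
    return sum(line.count(needle) for line in unfold(ldif))
```

Two caveats a practitioner will hit: attributes written as "name:: value" are base64-encoded and the replacement will not see them, so decode those separately, and count_occurrences run on the original file before and after the rewrite is the check that "you get it all", which a line-oriented grep cannot give.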

  • 10.5.2 totally broke SMB and AFP shares (and kerberos) on my network

    Hey Folks,
    I'm really kicking myself for not testing 10.5.2 first... this is a disaster for me.
    After installing, I can no longer access any SMB or AFP shares (regardless of host OS) using my kerberos ticket (granted from Tiger Server).
    If I use the Go menu and Connect To Server it also fails, almost instantly. The server logs suggest it's not even trying.
    I have totally lost access to all of my shares, ssh with kerberos is broken...
    Anyone else seeing problems?
    Leopard in general introduced some issues with the local KDC on each machine trusting mDNS... it's a way to make Back to My Mac work... and it broke SMB for me and a lot of people, but it wasn't the end of the world since I was sharing everything via AFP as well. Now that AFP is broken too I'm at a loss... 100% down.

    Something I have been messing with is my mit.edu.Kerberos file, located in System/Library/Preferences.
    Take a Tiger machine, and use Text Editor to look at its mit.edu.Kerberos file. Then, do the same with the Leopard machine. I've been trying to get Leopard to work with the Tiger Kerberos settings, without luck so far. But it's a step in the right direction. Try this for starters:
    On my system, when I try to use Connect to Server with the Finder, it gives me the vague "Volume Couldn't Mount" error.
    Make a backup of mit.edu.Kerberos on your Leopard machine (use a test machine if possible, not a production machine). Then, delete the original file and reboot.
    Try to Connect To Server again. On my machine, I'm given a login prompt, and if I re-authenticate, I'm able to connect to the share. Your previously deleted mit.edu.Kerberos file has been recreated after this point. I'm not sure how permanent a solution it is, however.
    But it's something to tinker with if you're so inclined.

  • Proxy Auth authentication required and kerberos

    Hi All
    Oracle supports the proxy auth trusted subsystem, which allows greater scalability through the use of a system-wide connection pool. There is a configuration option for "authentication required" in the proxy auth system.
    Oracle also supports Kerberos authentication for external users.
    What I would like to know is whether the proxy_auth "authentication required" is compatible with Kerberos authentication. That is, can I configure proxy auth to authenticate the tunneled user using Kerberos?
    Thanks
    Edited by: user8002300 on 28/10/2009 16:47

    Hi,
    What you can do is set up a reverse and a forward proxy. When the client hits the first proxy it should be configured as a reverse proxy which will redirect the request to the second proxy (this will be a reverse proxy) which will connect to the internet.
    Hope this helps.
    Regards,
    Dakshin.
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support.

  • Instant Client 11.1.0.1, Perl DBD::Oracle, and Kerberos

    Hi all,
    I'm trying to get an Instant Client working so I can connect to a remote server and sync the data up with our own. It works, but there is a problem. Basically, if I connect via the Perl DBI and DBD::Oracle, the Kerberos authentication bits get screwed up for the rest of the process. If I connect to the remote server, and then to a local non-Oracle service via Kerberos, the latter fails. Note that, if done separately, they work fine.
    Looking into it, it appears that it wants to open the file /krb5/krb.conf, which doesn't exist for me (/etc/krb5.conf is the Kerberos config file). I found something online (http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96573/asoappb.htm) that suggests that I should change some KERBEROS* parameters in $ORACLE_HOME/network/admin/sqlnet.ora. Either I'd like to have it try to open the right Kerberos config, or just ignore Kerberos altogether. Unfortunately, I have an old sqlnet.ora, that appears to have been generated by some external interface, and I'd like to maybe do this again, the "right way".
    [koczan@ator] ~ $ cat /s/oracle-csl/network/admin/sqlnet.ora
    # SQLNET.ORA Network Configuration File: /local.gazoo/oracle/network/admin/sqlnet.ora
    # Generated by Oracle configuration tools.
    NAMES.DEFAULT_DOMAIN = cs.wisc.edu
    NAMES.DIRECTORY_PATH= (TNSNAMES)
    The other thing I'm wondering is why it's even looking at Kerberos. Doing ldd on the sqlplus binary, the libraries, and the DBD::Oracle shared library showed no reference to Kerberos.
    [koczan@ator] ~ $ ldd /s/oracle-csl/perl5/lib/site_perl/5.8.6/i686-linux-64int/auto/DBD/Oracle/Oracle.so
    linux-gate.so.1 => (0x0043d000)
    libclntsh.so.11.1 => /s/oracle-csl-0/lib/libclntsh.so.11.1 (0x00783000)
    libocci.so.11.1 => /s/oracle-csl-0/lib/libocci.so.11.1 (0x00110000)
    libociei.so => /s/oracle-csl-0/lib/libociei.so (0x02cf2000)
    libc.so.6 => /lib/libc.so.6 (0x00272000)
    libnnz11.so => /s/oracle-csl-0/lib/libnnz11.so (0x004ea000)
    libdl.so.2 => /lib/libdl.so.2 (0x003b2000)
    libm.so.6 => /lib/libm.so.6 (0x003b6000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x003dd000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x003f4000)
    libaio.so.1 => /usr/lib/libaio.so.1 (0x0040b000)
    libstdc++.so.6 => /s/gcc-3.4.4/i386_cent40/lib/libstdc++.so.6 (0x0215a000)
    libgcc_s.so.1 => /s/gcc-3.4.4/i386_cent40/lib/libgcc_s.so.1 (0x0040d000)
    /lib/ld-linux.so.2 (0x004cf000)
    So, is there something I'm missing? What would be a good way to make everything happy? I tried looking online for this, and asking the DBD::Oracle people, and I couldn't find anything.
    I'm running Instant Client 11.1.0.1 on Red Hat Enterprise Linux 5.1, Perl 5.8.8, DBI 1.602, DBD::Oracle 1.19, Kerberos 1.6.2.
    Thanks. I know this was a lot of info and questions for this, but any help would be appreciated.

    There's no SQLNET.AUTHENTICATION_SERVICES set in my sqlnet.ora. I assume it's using some sort of default or trying everything; is there a way to tell what it's doing even though nothing is set?
    All I need to do is connect via password-based authentication to a remote server. What should SQLNET.AUTHENTICATION_SERVICES be set to for that?
    I couldn't find any clear resource documenting SQLNET.AUTHENTICATION_SERVICES, if you could point me to one that would be excellent.
    Thanks.
    P.S. Here's the entirety of my sqlnet.ora file.
    # SQLNET.ORA Network Configuration File
    # Generated by Oracle configuration tools.
    # Originally on gazoo - /local.gazoo/oracle/network/admin/sqlnet.ora
    # Modified for use with Oracle InstantClient
    NAMES.DEFAULT_DOMAIN = cs.wisc.edu
    NAMES.DIRECTORY_PATH= (TNSNAMES)
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
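    As an added illustration (not the poster's file and not an answer from the thread), here is a sqlnet.ora fragment that makes the authentication method explicit rather than leaving the client to its default service list. SQLNET.AUTHENTICATION_SERVICES and SQLNET.KERBEROS5_CONF are real Oracle Net parameters; the choice of values and the comments are assumptions added here.

```text
# Added example sqlnet.ora (not the poster's file): state the authentication
# method explicitly instead of relying on the client's default service list.
NAMES.DEFAULT_DOMAIN = cs.wisc.edu
NAMES.DIRECTORY_PATH = (TNSNAMES)

# Password-only logins: no external (OS or Kerberos) authentication is attempted.
SQLNET.AUTHENTICATION_SERVICES = (NONE)

# Alternatively, to use Kerberos deliberately, list it and point the client at
# the system krb5.conf so it does not go looking for /krb5/krb.conf:
# SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
# SQLNET.KERBEROS5_CONF = /etc/krb5.conf
```

    Setting (NONE) explicitly is the least-privilege choice when only database passwords are in use, since no external authentication adapter is loaded for the session; whether it also removes the interference with later Kerberos use in the same process, as the poster describes, is something to verify by re-running both connections in one process after the change.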
